Closed
Bug 1632996
Opened 5 years ago
Closed 4 years ago
Phabricator emails: use a security group instead of username check to authorize API endpoints
Categories
(Conduit :: Phabricator, defect, P3)
Conduit
Phabricator
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mhentges, Assigned: mhentges)
Details
(Keywords: conduit-triaged)
Attachments
(1 file)
When authorizing for the email endpoint, we currently just assert that the user's name is email-bot.
DKL mentioned in review that a security group could be a good solution.
The benefits of a security group are:
- No more username string matching
- Admins would be able to call the endpoint to debug issues without having to masquerade as `email-bot`.
- We could simplify the local development environment: right now, there's logic to remove the `email-bot` authorization step in local development, but that makes testing security a little harder. Instead, using security groups and adding a dummy user accordingly could make it cleaner.
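An added sketch, not code from the Phabricator extension or from this bug's patch, contrasting the username check described above with a group-membership check. The group name, user names and function names are hypothetical; the bug does not name the actual security group.

```python
from dataclasses import dataclass, field

# Hypothetical group name (assumption; not taken from the bug).
EMAIL_API_GROUP = "email-api-callers"


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset = field(default_factory=frozenset)


def authorize_by_username(user, local_dev=False):
    """'Before': string match on the username, with the step removed in local dev."""
    if local_dev:
        return True  # check is skipped, so local testing never exercises it
    return user.username == "email-bot"


def authorize_by_group(user, required_group=EMAIL_API_GROUP):
    """'After': one membership check that runs unchanged in every environment."""
    return required_group in user.groups


# Constructed sample users.
EMAIL_BOT = User("email-bot", frozenset({EMAIL_API_GROUP}))
ADMIN = User("admin-alice", frozenset({EMAIL_API_GROUP, "admins"}))
DEV_DUMMY = User("local-dummy", frozenset({EMAIL_API_GROUP}))  # seeded in local dev
OUTSIDER = User("some-contributor", frozenset({"contributors"}))


def compare(users, local_dev=False):
    """Return {username: (username_check, group_check)} for side-by-side review."""
    return {
        u.username: (authorize_by_username(u, local_dev), authorize_by_group(u))
        for u in users
    }


if __name__ == "__main__":
    everyone = [EMAIL_BOT, ADMIN, DEV_DUMMY, OUTSIDER]
    for env, flag in (("prod", False), ("local dev", True)):
        print(env)
        for name, (old, new) in compare(everyone, local_dev=flag).items():
            print(f"  {name:18} username-check={old!s:5} group-check={new}")
```

With the group check, the local environment only needs the dummy user added to the group, so the authorization path is the same one that runs in production.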
Updated•5 years ago
Keywords: conduit-triaged
Priority: -- → P3
Updated•5 years ago
Summary: Phabricator emails: use a security group instead of user check to authorize → Phabricator emails: use a security group instead of user check to authorize API endpoints
Updated•5 years ago
Summary: Phabricator emails: use a security group instead of user check to authorize API endpoints → Phabricator emails: use a security group instead of username check to authorize API endpoints
Updated•4 years ago
Assignee: nobody → mhentges
Status: NEW → ASSIGNED
Comment 1•4 years ago
To improve debuggability in dev, qa, and prod, we allow users
other than "email-bot" to access the API.
Updated•4 years ago
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED